summaryrefslogtreecommitdiff
path: root/imap/src
diff options
context:
space:
mode:
authorEduardo Chappa <chappa@washington.edu>2020-01-25 11:12:24 -0700
committerEduardo Chappa <chappa@washington.edu>2020-01-25 11:12:24 -0700
commitd75d2841dcf33329544fdc6e697f2402d55226d6 (patch)
tree3dc188171a86cade68951fd82ce3951122bf3199 /imap/src
parent99948a254e2c2352547b962cbd1c23738e7af6b3 (diff)
downloadalpine-d75d2841dcf33329544fdc6e697f2402d55226d6.tar.xz
* New variable system-certs-path that allows users to indicate the
location of the directory where folders are located. In PC-Alpine this must be C:\libressl\ssl\certs. The C: drive can be replaced by the name of the drive where the binary and DLL files are located.
Diffstat (limited to 'imap/src')
-rw-r--r--imap/src/osdep/nt/env_nt.c9
-rw-r--r--imap/src/osdep/nt/ssl_libressl.c99
-rw-r--r--imap/src/osdep/nt/ssl_nt.c8
-rw-r--r--imap/src/osdep/unix/ssl_unix.c26
4 files changed, 73 insertions, 69 deletions
diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c
index 50063ad6..da84b10c 100644
--- a/imap/src/osdep/nt/env_nt.c
+++ b/imap/src/osdep/nt/env_nt.c
@@ -43,6 +43,7 @@ static void (*alarm_rang) (); /* alarm interrupt function */
static unsigned int rndm = 0; /* initial `random' number */
static int server_nli = 0; /* server and not logged in */
static int logtry = 3; /* number of login tries */
+static char *sslCApath = NIL; /* non-standard CA path */
/* block notification */
static blocknotify_t mailblocknotify = mm_blocknotify;
/* callback to get username */
@@ -127,6 +128,13 @@ void *env_parameters (long function,void *value)
case GET_BLOCKNOTIFY:
ret = (void *) mailblocknotify;
break;
+ case SET_SSLCAPATH: /* this can be set null */
+ if (sslCApath) fs_give ((void **) &sslCApath);
+ sslCApath = value ? cpystr ((char *) value) : value;
+ break;
+ case GET_SSLCAPATH:
+ ret = (void *) sslCApath;
+ break;
}
return ret;
}
@@ -777,4 +785,5 @@ void env_end(void)
if(myHomeDir) fs_give((void **) &myHomeDir);
if(myNewsrc) fs_give((void **) &myNewsrc);
if(sysInbox) fs_give((void **) &sysInbox);
+ if(sslCApath) fs_give((void **) &sslCApath);
}
diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c
index c44c1e94..366fae01 100644
--- a/imap/src/osdep/nt/ssl_libressl.c
+++ b/imap/src/osdep/nt/ssl_libressl.c
@@ -1,20 +1,14 @@
/* ========================================================================
- * Copyright 2018 Eduardo Chappa
- * Copyright 2008-2009 Mark Crispin
+ * Copyright 2018-2020 Eduardo Chappa
* ========================================================================
*/
/*
* Program: SSL authentication/encryption module for Windows 9x and NT
*
- * Author: Mark Crispin
+ * Author: Eduardo Chappa, based on ssl_unix.c
*
- * Date: 22 September 1998
- * Last Edited: 8 November 2009
- *
- * Previous versions of this file were
- *
- * Copyright 1988-2008 University of Washington
+ * Last Edited: January 25, 2020
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -73,7 +67,8 @@ typedef struct ssl_stream {
#include "sslio.h"
/* Function prototypes */
-const SSL_METHOD *ssl_connect_mthd(int flag);
+int ssl_disable_mask(int ssl_version, int direction);
+const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv);
static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags);
static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags);
static int ssl_open_verify (int ok,X509_STORE_CTX *ctx);
@@ -109,20 +104,20 @@ pith_ssl_encryption_version(char *s)
{ "tls1_3", TLS1_3_VERSION },
#endif /* TLS1_3_VERSION */
{ "no_max", 0 }, /* set this last in the list */
- { NULL, 0 },
+ { NIL, 0 },
};
int i;
- if (s == NULL || *s == '\0')
+ if (s == NIL || *s == '\0')
return -1;
- for (i = 0; ssl_versions[i].name != NULL; i++)
+ for (i = 0; ssl_versions[i].name != NIL; i++)
if (strcmp(ssl_versions[i].name, s) == 0)
break;
if (strcmp(s, "no_max") == 0) i--;
- return ssl_versions[i].name != NULL ? ssl_versions[i].version : -1;
+ return ssl_versions[i].name != NIL ? ssl_versions[i].version : -1;
}
/* Secure Sockets Layer network driver dispatch */
@@ -158,9 +153,9 @@ void ssl_onceonlyinit (void)
/* if system doesn't have /dev/urandom */
if (stat ("/dev/urandom",&sbuf)) {
strcpy(tmp, "SSLXXXXXX");
- fd = fopen(tmp,"a");
- fstat (fd,&sbuf); /* get information about the file */
+ fd = open(tmp,"a");
close (fd); /* flush descriptor */
+ fstat (fd,&sbuf); /* get information about the file */
unlink (tmp); /* don't need the file */
/* not great but it'll have to do */
sprintf (tmp + strlen (tmp),"%.80s%lx%.80s%lx%lx%lx%lx%lx",
@@ -174,7 +169,7 @@ void ssl_onceonlyinit (void)
mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver);
mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start);
#ifdef OPENSSL_1_1_0
- OPENSSL_init_ssl(0, NULL);
+ OPENSSL_init_ssl(0, NIL);
#else
SSL_library_init (); /* add all algorithms */
#endif /* OPENSSL_1_1_0 */
@@ -253,7 +248,7 @@ int ssl_disable_mask(int ssl_version, int direction)
/* ssl_connect_mthd: returns a context pointer to the connection to
* a ssl server
*/
-const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max)
+const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv)
{
int client_request;
client_request = (flag & NET_TRYTLS1) ? TLS1_VERSION
@@ -266,55 +261,55 @@ const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max)
#endif
: 0;
- *min = *(int *)mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL);
- *max = *(int *)mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL);
+ *minv = *(int *)mail_parameters(NIL, GET_ENCRYPTION_RANGE_MIN, NIL);
+ *maxv = *(int *)mail_parameters(NIL, GET_ENCRYPTION_RANGE_MAX, NIL);
/*
* if no special request, negotiate the maximum the client is configured
* to negotiate
*/
if (client_request == 0)
- client_request = *max;
+ client_request = *maxv;
- if (client_request < *min || client_request > *max)
+ if (client_request < *minv || client_request > *maxv)
return NIL; /* out of range? bail out */
- /* Some Linux distributors seem to believe that it is ok to disable some of
- * these methods for their users, so we have to test that every requested
- * method has actually been compiled in into their openssl/libressl library.
- * Oh well...
- */
+ /* Some Linux distributors seem to believe that it is ok to disable some of
+ * these methods for their users, so we have to test that every requested
+ * method has actually been compiled in into their openssl/libressl library.
+ * Oh well...
+ */
#ifndef OPENSSL_1_1_0
if (client_request == SSL3_VERSION)
#ifndef OPENSSL_NO_SSL3_METHOD
- return SSLv3_client_method();
+ return SSLv3_client_method();
#else
- return NIL;
+ return NIL;
#endif /* OPENSSL_NO_SSL3_METHOD */
else if (client_request == TLS1_VERSION)
#ifndef OPENSSL_NO_TLS1_METHOD
- return TLSv1_client_method();
+ return TLSv1_client_method();
#else
- return NIL;
+ return NIL;
#endif /* OPENSSL_NO_TLS1_METHOD */
else if (client_request == TLS1_1_VERSION)
#ifndef OPENSSL_NO_TLS1_1_METHOD
- return TLSv1_1_client_method();
+ return TLSv1_1_client_method();
#else
- return NIL;
+ return NIL;
#endif /* OPENSSL_NO_TLS1_1_METHOD */
else if (client_request == TLS1_2_VERSION)
#ifndef OPENSSL_NO_TLS1_2_METHOD
- return TLSv1_2_client_method();
+ return TLSv1_2_client_method();
#else
- return NIL;
+ return NIL;
#endif /* OPENSSL_NO_TLS1_2_METHOD */
#ifdef TLS1_3_VERSION /* this is only reachable if TLS1_3 support exists */
else if (client_request == TLS1_3_VERSION)
#ifndef OPENSSL_NO_TLS1_3_METHOD
- return TLS_client_method();
+ return TLS_client_method();
#else
- return NIL;
+ return NIL;
#endif /* #ifndef OPENSSL_NO_TLS1_2_METHOD */
#endif /* TLS1_3_VERSION */
#endif /* ifndef OPENSSL_1_1_0 */
@@ -389,7 +384,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
BIO *bio;
X509 *cert;
unsigned long sl, tl;
- int min, max;
+ int minv, maxv;
int masklow, maskhigh;
char *s, *t, *err, tmp[MAILTMPLEN], buf[256];
sslcertificatequery_t scq =
@@ -400,24 +395,24 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
(sslclientkey_t)mail_parameters(NIL, GET_SSLCLIENTKEY, NIL);
if (ssl_last_error) fs_give((void **)&ssl_last_error);
ssl_last_host = host;
- if (!(stream->context = SSL_CTX_new(ssl_connect_mthd(flags, &min, &max))))
+ if (!(stream->context = SSL_CTX_new(ssl_connect_mthd(flags, &minv, &maxv))))
return "SSL context failed";
SSL_CTX_set_options(stream->context, 0);
- masklow = ssl_disable_mask(min, -1);
- maskhigh = ssl_disable_mask(max, 1);
+ masklow = ssl_disable_mask(minv, -1);
+ maskhigh = ssl_disable_mask(maxv, 1);
SSL_CTX_set_options(stream->context, masklow | maskhigh);
/* disable certificate validation? */
if (flags & NET_NOVALIDATECERT)
SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL);
else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify);
- /* set default paths to CAs... */
- SSL_CTX_set_default_verify_paths(stream->context);
- /* ...unless a non-standard path desired */
- if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NULL)
- SSL_CTX_load_verify_locations(stream->context, NIL, s);
+ /* a non-standard path desired */
+ if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL)
+ SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s);
+ else /* otherwise we set default paths to CAs... */
+ SSL_CTX_set_default_verify_paths(stream->context);
/* want to send client certificate? */
if (scc && (s = (*scc) ()) && (sl = strlen(s))) {
- if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NULL) {
+ if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) {
SSL_CTX_use_certificate(stream->context, cert);
X509_free(cert);
}
@@ -427,7 +422,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
if ((t = (sck ? (*sck) () : s)) && (tl = strlen(t))) {
EVP_PKEY *key;
if ((key = PEM_read_bio_PrivateKey(bio = BIO_new_mem_buf(t, tl),
- NIL, NIL, "")) != NULL) {
+ NIL, NIL, "")) != NIL) {
SSL_CTX_use_PrivateKey(stream->context, key);
EVP_PKEY_free(key);
}
@@ -535,7 +530,7 @@ static char *ssl_validate_cert (X509 *cert,char *host)
if(m == 0 || ret != NIL){
cname = X509_get_subject_name(cert);
for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
- if((e = X509_NAME_get_entry(cname, j)) != NULL){
+ if((e = X509_NAME_get_entry(cname, j)) != NIL){
X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
s = (char *) buf;
}
@@ -951,8 +946,8 @@ void ssl_server_init (char *server)
sizeof (SSLSTREAM));
ssl_onceonlyinit (); /* make sure algorithms added */
#ifdef OPENSSL_1_1_0
- OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
- OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NIL);
+ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NIL);
#else
ERR_load_crypto_strings ();
SSL_load_error_strings ();
@@ -1065,7 +1060,7 @@ static RSA *ssl_genkey (SSL_CTX_TYPE *con,int export,int keylength)
}
#ifdef OPENSSL_1_1_0
BN_free(e);
- e = NULL;
+ e = NIL;
#endif /* OPENSSL_1_1_0 */
}
return key;
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index 5bc04ab8..71695766 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
@@ -23,8 +23,8 @@
* http://www.apache.org/licenses/LICENSE-2.0
*
*/
-//#ifdef ENABLE_WINDOWS_LIBRESSL
-//#include "ssl_libressl.c"
-//#else
+#if !defined(ENABLE_WINDOWS_LIBRESSL) || !defined(W32BITSBUILD)
#include "ssl_win.c"
-//#endif /* ENABLE_WINDOWS_LIBRESSL */
+#else
+#include "ssl_libressl.c"
+#endif
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 93fb1a9a..57931525 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -75,7 +75,7 @@ typedef struct ssl_stream {
/* Function prototypes */
int ssl_disable_mask(int ssl_version, int direction);
-const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max);
+const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv);
static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags);
static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags);
static int ssl_open_verify (int ok,X509_STORE_CTX *ctx);
@@ -257,7 +257,7 @@ int ssl_disable_mask(int ssl_version, int direction)
/* ssl_connect_mthd: returns a context pointer to the connection to
* a ssl server
*/
-const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max)
+const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv)
{
int client_request;
client_request = (flag & NET_TRYTLS1) ? TLS1_VERSION
@@ -270,17 +270,17 @@ const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max)
#endif
: 0;
- *min = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL);
- *max = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL);
+ *minv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL);
+ *maxv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL);
/*
* if no special request, negotiate the maximum the client is configured
* to negotiate
*/
if(client_request == 0)
- client_request = *max;
+ client_request = *maxv;
- if(client_request < *min || client_request > *max)
+ if(client_request < *minv || client_request > *maxv)
return NIL; /* out of range? bail out */
/* Some Linux distributors seem to believe that it is ok to disable some of
@@ -392,7 +392,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
BIO *bio;
X509 *cert;
unsigned long sl,tl;
- int min, max;
+ int minv, maxv;
int masklow, maskhigh;
char *s,*t,*err,tmp[MAILTMPLEN], buf[256];
sslcertificatequery_t scq =
@@ -403,21 +403,21 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
(sslclientkey_t) mail_parameters (NIL,GET_SSLCLIENTKEY,NIL);
if (ssl_last_error) fs_give ((void **) &ssl_last_error);
ssl_last_host = host;
- if (!(stream->context = SSL_CTX_new (ssl_connect_mthd(flags, &min, &max))))
+ if (!(stream->context = SSL_CTX_new (ssl_connect_mthd(flags, &minv, &maxv))))
return "SSL context failed";
SSL_CTX_set_options (stream->context,0);
- masklow = ssl_disable_mask(min, -1);
- maskhigh = ssl_disable_mask(max, 1);
+ masklow = ssl_disable_mask(minv, -1);
+ maskhigh = ssl_disable_mask(maxv, 1);
SSL_CTX_set_options(stream->context, masklow|maskhigh);
/* disable certificate validation? */
if (flags & NET_NOVALIDATECERT)
SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
- /* set default paths to CAs... */
- SSL_CTX_set_default_verify_paths (stream->context);
- /* ...unless a non-standard path desired */
+ /* if a non-standard path desired */
if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL)
SSL_CTX_load_verify_locations (stream->context,NIL,s);
+ else /* set default paths to CAs... */
+ SSL_CTX_set_default_verify_paths (stream->context);
/* want to send client certificate? */
if (scc && (s = (*scc) ()) && (sl = strlen (s))) {
if ((cert = PEM_read_bio_X509 (bio = BIO_new_mem_buf (s,sl),NIL,NIL,NIL)) != NULL) {